7.6.0

Preparation Checklist

Task: Production DNS Records

Description: Determine whether DNS records will need to be modified after the migration.

If Persistent Agents are deployed using GPO or a software management program, note the following:

  • Persistent Agents communicate using the Application Server’s FQDN. See the Persistent Agent Deployment and Configuration reference manual for more information.

  • The FortiNAC-F appliance will have the hostname and eth0 IP address of the Control Server once migration is complete.

Because of this, both the Application Server FQDN and the Control Server FQDN must resolve to the Control Server eth0 IP address.

Timeline: Any time prior to starting the migration.

Task: README and NOTES Files

Description: Check whether README or NOTES files exist on the CentOS appliances. Log in to the CentOS appliance CLI as root and type:

cd /bsc/campusMgrUpdates/

ls | grep -i readme

ls | grep -i notes

If either a README or NOTES file exists:

  1. Run the following commands and copy the output to a text file (match the case of the actual filename if it differs from below):

    cat README

    cat NOTES

  2. Open a support ticket and attach the text file so that support can verify what actions (if any) will be necessary after the migration.

Timeline: Any time prior to upgrading software.

Task: Software Upgrade

Description: Upgrade all CentOS appliances to the required version (see Requirements).

Review the Release Notes for both the CentOS and FortiNAC-OS appliances (if different), including:

  • Upgrade Requirements

  • Upgrade Considerations

  • Pre-Upgrade Procedures

  • What’s New

  • Known Issues

  • Device Support Considerations

For instructions, refer to the OS and Software Upgrade Cookbook.

Timeline: Several days prior to starting the migration.

Task: Product Registration (Step 1) / Endpoint License Entitlements Transfer (Step 2)

Description: New products must be registered before requesting the entitlements transfer.

These steps do not affect current functionality.

Timeline: Two weeks prior to the maintenance window.

Task: Maintenance Window Planning

Description: If FortiNAC is already managing network access, a maintenance window is required to perform the last two migration steps (Collect & Transfer CentOS Migration Data, and Cutover).

During this time:

  • VLANs will not be switched

  • RADIUS requests sent to FortiNAC will not be answered

  • Hosts will not be registered

A maintenance window of at least 4 hours is recommended, to complete the data migration and then validate the following functions:

  • Administrative access

  • Network Inventory

  • Endpoint Visibility

  • Network access scenarios

    • Wired

    • Wireless

    • Remote (VPN)

  • Security Policies

    • Network Access

    • Endpoint Compliance

Notes:

  • The time required for the migration to complete depends on the deployment size. It has been observed to take as long as 30 minutes from the start of the data transfer to the time the new appliance is running.

  • If unexpected behavior occurs, the customer can revert to the original appliance.

Timeline: Recommend at least a 4 hour maintenance window.
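The Production DNS Records task above requires both the Application Server FQDN and the Control Server FQDN to resolve to the Control Server eth0 address once the CentOS appliances are retired. The following is an added example, not part of the Fortinet checklist, that checks exactly that condition before cutover; the function names, the example.com hostnames and the fake resolver in the sample are constructed placeholders, and the default resolver simply uses the system DNS of the machine it runs on.

```python
"""Pre-migration DNS check (added example; not Fortinet's code).

After migration both the Application Server and Control Server FQDNs must
resolve to the Control Server's eth0 IP. Each FQDN is classified as ok,
unresolved, wrong-ip or multiple (stale or extra A records would leave some
Persistent Agents pointed at the retired CentOS appliance).
"""
import socket
from typing import Callable, Dict, List


def default_resolver(fqdn: str) -> List[str]:
    """Return every IPv4 address the FQDN resolves to, using system DNS."""
    try:
        infos = socket.getaddrinfo(fqdn, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_fqdns(fqdns: List[str], control_eth0_ip: str,
                resolve: Callable[[str], List[str]] = default_resolver) -> Dict[str, str]:
    """Classify each FQDN against the expected Control Server eth0 address."""
    results: Dict[str, str] = {}
    for fqdn in fqdns:
        addrs = sorted(set(resolve(fqdn)))
        if not addrs:
            results[fqdn] = "unresolved"
        elif addrs == [control_eth0_ip]:
            results[fqdn] = "ok"
        elif len(addrs) > 1:
            results[fqdn] = "multiple"  # extra/stale records, even if eth0 is among them
        else:
            results[fqdn] = "wrong-ip"
    return results


def ready_for_cutover(results: Dict[str, str]) -> bool:
    """True only when every FQDN resolves solely to the Control Server eth0 IP."""
    return bool(results) and all(state == "ok" for state in results.values())


if __name__ == "__main__":
    # Constructed sample: a fake resolver stands in for production DNS
    # (hypothetical hostnames; 192.0.2.0/24 is documentation address space).
    fake_dns = {
        "nac-control.example.com": ["192.0.2.10"],
        "nac-app.example.com": ["192.0.2.11"],  # still points at the old Application Server
    }
    report = check_fqdns(list(fake_dns), "192.0.2.10", lambda h: fake_dns.get(h, []))
    print(report, "ready for cutover:", ready_for_cutover(report))
```

Run it with the real hostnames and `default_resolver` from an administrator workstation that uses the production DNS servers; a "multiple" result usually means an A record for the old Application Server address was left in place.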

Features Requiring Access Configuration

FortiNAC-F systems have limited inbound access by default. For certain features to work properly, access must be allowed explicitly with the “set allowaccess” command on the relevant port.

Use the chart below to determine which options will be required, based on the FortiNAC features currently in use.

  1. Confirm whether each feature is configured, using the Related FortiNAC UI View (if applicable). Click on the path to open the Admin Guide for more details on the view.

  2. Use the Required column to mark those features.

    Note: Certain features are already marked as required: SSH, SNMP, and HTTPS access for the Admin UI.

    For additional details, see Open ports in the Administration Guide.

    Columns: Related Feature / Required / Related FortiNAC UI View / “set allowaccess” option and port

    PING (used by administrators to verify IP contact with FortiNAC eth0 and eth1)
    Required: (mark if in use)
    UI View: N/A
    allowaccess option / port: ping / port1 and port2

    SSH
    Required: X
    UI View: N/A
    allowaccess option / port: ssh / port1

    Isolation scopes & Captive Portal
    Required: (mark if in use)
    UI View: System > Config Wizard > Summary; Portal > Portal Configuration; Portal > Portal SSL*
    allowaccess option / port: dhcp / port2; dns / port2; https / port2

    DHCP Fingerprinting
    Required: (mark if in use)
    UI View: Users & Hosts > Endpoint Fingerprints
    allowaccess option / port: dhcp / port1

    Network Device Management
    Required: X
    UI View: Network > Inventory
    allowaccess option / port: snmp / port1

    Device Change Notification from IPS/IDS devices using syslog
    Required: (mark if in use)
    UI View: System > Settings > System Communication > Syslog files
    allowaccess option / port: syslog / port1

    Endpoint Connectivity Notification using syslog (e.g. FortiGate)
    Required: (mark if in use)
    UI View: N/A
    allowaccess option / port: syslog / port1

    High Availability
    Required: (mark if in use)
    UI View: System > Settings > System Management > High Availability
    allowaccess option / port: nac-ipc / port1

    FortiNAC Manager
    Required: (mark if in use)
    UI View: FortiNAC Manager GUI Dashboard > Servers widget
    allowaccess option / port: nac-ipc / port1

    Local RADIUS Server mode
    Required: (mark if in use)
    UI View: Network > RADIUS
    allowaccess option / port: radius-local / port1

    Proxy RADIUS mode
    Required: (mark if in use)
    UI View: Network > RADIUS > Proxy
    allowaccess option / port: radius / port1

    Proxy RADIUS mode using accounting
    Required: (mark if in use)
    UI View: Network > RADIUS > Proxy
    allowaccess option / port: radius-acct / port1

    Persistent Agent
    Required: (mark if in use)
    UI View: Dashboard > Persistent Agent Summary widget
    allowaccess option / port: nac-agent / port1 & port2

    Fortinet Security Fabric (FSSO)
    Required: (mark if in use)
    UI View: Network > Service Connectors
    allowaccess option / port: fsso / port1

    Admin UI (port 8443)
    Required: X
    UI View: Control Manager (M): Manage FortiNAC Servers; https://<FortiNAC hostname or IP>:8443/
    allowaccess option / port: https-adminui / port1

    Admin UI (port 8080)
    Required: (mark if in use)
    UI View: http://<FortiNAC hostname or IP>:8080/
    allowaccess option / port: http-adminui / port1

    Network Sessions
    Required: (mark if in use)
    UI View: Users & Hosts > Network Sessions
    allowaccess option / port: netflow / port1

    * "Valid SSL Certificate" is the only option available as of v9.4.5, vF7.2.4 and above. An SSL certificate will be required for the portal certificate target.

  3. List the required options from the table above in the chart below. Refer to this chart during the Appliance Configuration step.

    Example:

    Feature Requirements: PING (ports 1 & 2), SSH, Isolation scopes & Captive Portal, DHCP fingerprinting, Network Device Management, High Availability, Admin UI (port 8443)

    port1: set allowaccess ping ssh dhcp snmp nac-ipc https-adminui

    port2: set allowaccess ping dhcp dns https

    Chart (Port / Syntax):

    port1:

    port2:
